FDA Pilot SaMD Precertification Program Offers Few Insights

Lack of Regulatory Firewall an Issue

Along with many of our clients, we at Enzyme looked to the FDA pilot program for software precertification as a potential solution to many of the problems with the agency’s regulation of software as a medical device (SaMD). Unfortunately, it appears the precertification pilot was less than successful in providing a new regulatory path forward, the consequence of which is that many SaMD products will continue to require burdensome and frequent regulatory filings.


The most important overall finding in the September report may be that the FDA’s current statutory authorities do not allow it to implement a program based on the working model of the precertification pilot. The FDA stated that the required new statutory authorities would supplement rather than replace the established regulatory pathways, although no further details were offered. This question of statutory authorities was raised by three members of the U.S. Senate in 2018, who also asked whether the precertification concept would have led to an impermissible reduction in user fees collected by the agency.

Two other issues with the pilot were that the FDA was able to enlist only nine participants, and that the use of the de novo program as a model for review of the pilot devices had unintended consequences. Chief among these is that the special controls created by the de novo review process would have applied to devices outside the pilot due to the absence of a legal and regulatory barrier.
As a result of these two sets of limitations, the pilot was limited to a narrow group of devices that do not reflect the range of devices that would by regulated under a fully implemented precertification program.
There are two levels of certification, one of which allows only low-risk products to market without review and the second allowing the developer to put low- and moderate-risk software to market without review. However, the pilot’s mechanisms for evaluating the organization’s commitment to the principles might not have provided the needed assurance that even relatively low-risk devices could have been safely placed on the market without direct FDA review. Both clinical performance and cybersecurity were central to the agency’s concerns in this context. The solution to this issue could be the application of an adaptation of quality management system (QMS) principles along with the application of general and/or special controls that would allow some, but not all, of the developer’s products to market without a formal review. Again, however, details were sketchy.

Analytics Plan Required to Assess Real-world Performance

The working model of the precertification program describes the postmarket surveillance activities that would be necessary to implement the plan, consisting of three categories of real-world performance analytics (RWPAs). These analytics could draw on data generated by the devices themselves and by device registries, data commons, and other sources of electronic health information. We will leave aside the question of the cost of collecting and analyzing these data other than to state that those costs might be prohibitive for a small developer.